Closed PMJeffery closed 3 years ago
It looks like you are using an absolute path to the certificate file. Have you tried to use the relative path from $SPLUNK_HOME/etc/auth? For example, if you created a new directory in ../etc/auth called opnsense_certs and placed the certificate file in that directory called OPNsense.crt, then the value you would place in the modular input would be opnsense_certs/OPNsense.crt.
In the next release I will add the ability to use absolute paths.
I tried the relative path: https://user-images.githubusercontent.com/20860518/120081603-7ffa5a00-c08c-11eb-98e4-ca40ffc04755.png
Sorry, I blasted this with so many screenshots.
I figured the absolute path wouldn't work.
As for the cert file, I'm assuming I did it right in terms of exporting the default crt file.
Did you use the default one or did you create a new one or import a cert from someplace like Let's Encrypt?
No worries! The screenshots are helpful! And thanks for your patience.
The screenshot you linked to this issue shows the absolute path of /opt/splunk/etc/auth/opnsense_certs. If your certificate is located in /opt/splunk/etc/auth/opnsense_certs, just specify opnsense_certs/<name_of_cert> for the parameter.
Example: opnsense_certs/OPNsense.crt
Not the full path of: /opt/splunk/etc/auth/opnsense_certs/OPNsense.crt
Let me know if that works.
The full path is not needed here. Next version will allow for the full path.
I got the paths correctly in now and I am using the default/stock self-signed cert that comes with OPNsense. The original error message is gone, but now it says:
Max retries exceeded with url: /api/core/firmware/info (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1106)')))"
Turning off "Verify Certificate" does not change that error message.
Thanks for also pointing this out. The first problem is that the "Verify Certificate" checkbox is broken in the code. I'll fix that right away -> issue #47.
I will also update the documentation to explain that a valid CA (Certificate Authority) certificate will be needed for certificate verification and not the full web certificate. I don't believe the default self-signed OPNsense web cert used a CA to sign the cert. This means the default cert won't be able to use certificate verification and only new certificates created with a trusted CA can be used.
I was able to fix the python code per your email so that the default/stock cert will work. The "Verify Certificate" is unchecked, default cert is uploaded to the auth folder on my HF and it works as intended. I don't see a reason not to include a statement in your documentation that the default cert will work.
Describe the bug
Modular Input cannot find the Certificate (.crt) file after configuring Modular Input
To Reproduce
Steps to reproduce the behavior:
Very stock/default OPNsense firewall deployment.
Splunk Enterprise 8.2 running on Ubuntu Server 21.04, fully patched, splunkd is running as root
Splunk Enterprise 8.2 running as both SH and IDX
Was able to export the apikey.txt for the default OPNsense user.
Per documentation, the documentation notes, exporting cert file from "Navigate to System > Trust > Authorities." This section has no entries (default OPNsense deployment/config), but "System > Trust > Certificates" has the default "Web GUI TLS certificate" - exported the crt file
Navigate to /opt/splunk/etc/auth/
Created new folder "opnsense_certs"
Uploaded Web+GUI+certificate.crt to that folder
Per documentation, configured Account input:
Toggling "Verify Certificate" does not change the output error.
Per documentation, configured input:
Splunk search w/ Error:
If I directly specify the file name in the certificate path, it will give an unexpected error "Length of OPNSense Host should be between 1 and 50"
Seems to be a separate bug for either form input logic or Add-on Builder bug. Will file one later once we determine where the bug actually lies - TA or Add-on Builder.
SSH as root, can cat crt file and read it. Splunk running as root as well.
Other Troubleshooting Steps
Tried changing the name of the cert file to "OPNsense.crt" just in case special characters in the default name were causing issues - did not change the error message.
Moved crt file to /opt/splunk/etc/auth, changed folder path input, same error message
Restarted splunkd between troubleshooting steps
Changed Input Interval to 300 seconds and set Logging Level to "Debug" to speed up debugging process and accuracy.
Expected behavior
TA-opnsense modular input will read/see crt file.
Screenshots
If applicable, add screenshots to help explain your problem.
Version (please complete the following information):
Additional context
Am Splunk Employee, if you want to reach out to me directly - mjeffery
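The path handling and the "Verify Certificate" toggle discussed in this thread, sketched as an added example (not TA-opnsense's own code): the certificate parameter is resolved relative to $SPLUNK_HOME/etc/auth, and the result is what would be passed as the `verify` argument of `requests`. The function names are hypothetical, and accepting absolute paths only when they stay under etc/auth is a choice made for this example. With verification on, the file must be the CA certificate, as the maintainer notes above.

```python
import tempfile
from pathlib import Path


def resolve_cert_path(value, splunk_home):
    """Resolve the certificate parameter to a regular file under etc/auth."""
    auth_dir = (Path(splunk_home) / "etc" / "auth").resolve()
    candidate = Path(value)
    if not candidate.is_absolute():
        candidate = auth_dir / candidate      # e.g. opnsense_certs/OPNsense.crt
    candidate = candidate.resolve()           # collapses ".." and symlinks
    if auth_dir not in candidate.parents:
        raise ValueError(f"{value!r} resolves outside {auth_dir}")
    if not candidate.is_file():               # a directory alone is not enough
        raise FileNotFoundError(f"no certificate file at {candidate}")
    return candidate


def requests_verify_arg(verify_certificate, cert_value, splunk_home):
    """Value for requests' `verify` keyword: False, or a path to the CA file."""
    if not verify_certificate:
        return False                          # the checkbox must be honoured
    return str(resolve_cert_path(cert_value, splunk_home))


def make_demo_home():
    """Constructed layout mirroring the thread (placeholder file, not a cert)."""
    home = Path(tempfile.mkdtemp(prefix="splunk_home_"))
    cert_dir = home / "etc" / "auth" / "opnsense_certs"
    cert_dir.mkdir(parents=True)
    (cert_dir / "OPNsense.crt").write_text("placeholder, not a real certificate\n")
    return home


if __name__ == "__main__":
    home = make_demo_home()
    samples = ["opnsense_certs/OPNsense.crt",                        # relative form
               str(home / "etc/auth/opnsense_certs/OPNsense.crt"),   # absolute form
               "opnsense_certs",                                     # directory only
               "../passwd"]                                          # escapes etc/auth
    for value in samples:
        try:
            print(value, "->", requests_verify_arg(True, value, home))
        except (ValueError, FileNotFoundError) as exc:
            print(value, "-> rejected:", exc)
```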